shellshock update: linux has been patched, mac not so much…

‘Shellshock’ Bug Spells Trouble for Web Security
by Brian Krebs

The bug is being compared to the recent Heartbleed vulnerability because of its ubiquity and sheer potential for causing havoc on Internet-connected systems — particularly Web sites. Worse yet, experts say the official patch for the security hole is incomplete and could still let attackers seize control over vulnerable systems.

The problem resides with a weakness in the GNU Bourne Again Shell (Bash), the text-based, command-line utility on multiple Linux and Unix operating systems. Researchers discovered that if Bash is set up to be the default command line utility on these systems, it opens those systems up to specially crafted remote attacks via a range of network tools that rely on it to execute scripts, from telnet and secure shell (SSH) sessions to Web requests.

According to several security firms, attackers are already probing systems for the weakness, and that at least two computer worms are actively exploiting the flaw to install malware. Jamie Blasco, labs director at AlienVault, has been running a honeypot on the vulnerability since yesterday to emulate a vulnerable system.

“With the honeypot, we found several machines trying to exploit the Bash vulnerability,” Blasco said. “The majority of them are only probing to check if systems are vulnerable. On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system. This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks.”

The vulnerability does not impact Microsoft Windows users (ed. for a change), but there are patches available for Linux and Unix systems. In addition, Mac users are likely vulnerable, although there is no official patch for this flaw from Apple yet. I’ll update this post if we see any patches from Apple.

The U.S.-CERT’s advisory includes a simple command line script that Mac users can run to test for the vulnerability. To check your system from a command line, type or cut and paste this text:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

 this is a test

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

US-CERT has a list of operating systems that are vulnerable. Red Hat and several other Linux distributions have released fixes for the bug, but according to US-CERT the patch has an issue that prevents it from fully addressing the problem.

The Shellshock bug is being compared to Heartbleed because it affects so many systems; determining which are vulnerable and developing and deploying fixes to them is likely to take time. However, unlike Heartbleed, which only allows attackers to read sensitive information from vulnerable Web servers, Shellshock potentially lets attackers take control over exposed systems.

“This is going to be one that’s with us for a long time, because it’s going to be in a lot of embedded systems that won’t get updated for a long time,” said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley. “The target computer has to be accessible, but there are a lot of ways that this turns accessibility into full local code execution. For example, could easily write a scanner that would basically scan every Web site on the planet for vulnerable (Web) pages.”

Stay tuned. This one could get interesting very soon.

which reminds me…

according to the “universal chart of telling when things actually happened” that i made several years ago, in late 1995 i lived in a rooming house in west seattle with a couple of crazy people, one of whom was Regan Fraser, older brother of Brendan Fraser, actor in such movies as “George Of The Jungle” and the Mummy series. at the time (and, to a certain extent, still), i was more or less ignorant of the exploits of brendan, so i wasn’t as “wowed” by my brush with the sibling of a star as i might have been otherwise, but it was pretty memorable anyway.

at the time, i was working as a micro$lut, doing the evil bidding of the great Gates himself. i had lulled myself into a false sense of security, because, even though i was working at microsoft headquarters (i never actually had an office on campus in redmond, but i had several “off campus” offices), i was working in their mac division, and never actually worked with windoesn’t until several years later.

this was back in the dark ages, when you could actually telnet to different servers, and, for the most part, there was no email spam, in part because it was before the discovery of the Word Concept Virus, which was capable of being sent over email. prior to the word concept virus, you actually had to have physical access to the computer, and install viruses from a disk, for them to be able to propagate… in other words, computer security was light-years away from where we are now.

when regan heard that i was working with networked computers, he came to me with a bold plan to get both of us filthy rich — or something — a prominent part of which involved me gaining access to his “rich brother’s” bank accounts over internet.

fortunately for me, i was just at the beginning of my realisation that i was, deep down, a computer geek, and also i was a rank newbie when it came to internet — i had survived perfectly well up until that time using a sneaker-net when i had to share documents, and i was just beginning to imagine why i would ever want anything more than that…

so i “tactfully” told him that, while what he proposed was likely possible, he was talking to the wrong guy when it came to actually cracking a computer and stealing stuff.

later, after i had moved into my own apartment, i heard, third-hand, that he had actually been arrested when it was discovered that he had broken into his “rich brother’s” house, stolen some credit cards, and had actually gone to a bank with those cards, claiming to be his “rich brother”… i never actually confirmed any of this, but reading through the tale of master foo reminded me of my experience with regan fraser…

Master Foo and the Script Kiddie

Master Foo and the Script Kiddie

A stranger from the land of Woot came to Master Foo as he was eating the morning meal with his students.

“I hear y00 are very l33t,” he said. “Pl33z teach m3 all y00 know.”

Master Foo’s students looked at each other, confused by the stranger’s barbarous language. Master Foo just smiled and replied: “You wish to learn the Way of Unix?”

“I want to b3 a wizard hax0r,” the stranger replied, “and 0wn ever3one’s b0xen.”

“I do not teach that Way,” replied Master Foo.

The stranger grew agitated. “D00d, y00 r nothing but a p0ser,” he said. “If y00 n00 anything, y00 wud t33ch m3.”

“There is a path,” said Master Foo, “that might bring you to wisdom.” The master scribbled an IP address on a piece of paper. “Cracking this box should pose you little difficulty, as its guardians are incompetent. Return and tell me what you find.”

The stranger bowed and left. Master Foo finished his meal.

Days passed, then months. The stranger was forgotten.

Years later, the stranger from the land of Woot returned.

“Damn you!” he said, “I cracked that box, and it was easy like you said. But I got busted by the FBI and thrown in jail.”

“Good,” said Master Foo. “You are ready for the next lesson.” He scribbled an IP address on another piece of paper and handed it to the stranger.

“Are you crazy?” the stranger yelled. “After what I’ve been through, I’m never going to break into a computer again!”

Master Foo smiled. “Here,” he said, “is the beginning of wisdom.”

On hearing this, the stranger was enlightened.